Upload
others
View
6
Download
0
Embed Size (px)
Citation preview
www.cs.helsinki.fi
Usable Mobile SecurityIntel Institute for Collaborative Research in Helsinki, Finland
N. Asokan
Professor, Department of Computer Science
Intel ERIC, Oct 2013
Home to leading universitiesUniversity of Helsinki: Traditional university
Aalto1 University: Helsinki U. of Tech. + schools of design & business
Tampere University of Technology
...
Innovation hubLocal giants: Nokia, Ericsson, Nokia-Siemens, ...
Recent arrivals: Intel, Samsung, Huawei, ...
New tigers: Rovio, Supercell, ..., lots of startups
1. http://en.wikipedia.org/wiki/Alvar_Aalto
About Finland
Two researchers funded by IntelPostdoc: Sini Ruohomaa
Graduate student: Thomas Nyman
Matching funding by UniversityPostdoc (50%): Hien Truong
Graduate student: Sourav Bhattacharya (full-time from Jan)
Graduate student: Jian Liu
Graduate student: Tanel Dettenhorn (fill-time from Jan)
Intel researchers pursuing PhDElena Reshetova (SSG/OTC)
Brian McGillion (MCG)
ICRI-SC Helsinki personnel
Secure Systems group http://www.cs.helsinki.fi/group/secures/
3
Mobile security that is easy to use and inexpensive to deploy.
1. Next generation hardware TEEs: how to safely expose
hardware-based TEE functionality to app developers?
2. Novel applications of platform security: can existing platform
security mechanisms address security needs of new usage
scenarios?
3. Malware insights: can we use lightweight instrumentation on a
device to predict if it will (eventually) get malware?
4
Initial topics
Get realistic data directly from devices
Estimate malware infection rate (for Android)
Identify risk factors
See if we can predict likelihood of infection!
Our plan
6
“The Company you Keep”
7
time
Device 1 Device 2 ...
set of tuples:
<developerCert,pkgName,versionCode>
?
http://carat.cs.berkeley.edu
Type Malware
Genome
Mobile
Sandbox
McAfee Total
No. of dc matches
(bad devcerts)
6 150 31 158
No. packages
<dc,p,v> with bad
devcerts
3,501 4,925 3,761 5,006
No. packages
matching
<dc,p,v>
0 30 4 32
No. infected devices
(only dc match)
4,716
(15.3%)
7,424
(24.1%)
7,143
(23.2%)
7,843
(25.5%)
No. infected devices
(<dc,p,v> match)
0
(0%)
40
(0.13%)
18
(0.06%)
56
(0.18%)
Incidence of infection
8Data collected from 30 719 devices over 9 weeks
Classifying based on set of apps
9
Can the set of apps run on device predict infection?
Classification attempt using Naïve Bayes (5-fold CV)
Infected
(prediction)
Clean
(prediction)
Infected
(actual)
9 47
Clean
(actual)
753 29910
Classifying based on set of apps
Recall (9/56) and precision (9/762) low?
for classifying infected devices
Lightweight instrumentation: at virtually no cost
Supplementing AV tools, not replacing them
Could serve as inexpensive early warning?
Focus on a small subset for closer analysis
Competition: baseline = 0.18%!
10
Multinomial Naïve Bayes
Malware divided into 4 groups
2 groups constitute “unknown malware” in each round(6 combinations)
training set: 50% clean devices + devices infected by known malware (2 combinations)
test set: 50% clean devices + devices infected by unknown malware
6 rounds, TP/FP ratio 5.0 times better than baseline
Predicting zero day malware
Infected
(prediction)
Clean
(prediction)
Infected
(actual)
32 304
Clean
(actual)
3558 180420
11
Multinomial Naïve Bayes
Malware divided into 4 groups.
2 groups constitute “unknown malware” in each round(6 combinations)
devices in training set (50% of all) containing unknown malware marked “clean” (2 combs.)
devices in test set (50% of all) containing known malware removed before prediction
6 rounds, TP/FP ratio 2.4 times better than baseline
Predicting previously unknown malware
Infected
(prediction)
Clean
(prediction)
Infected
(actual)
12 156
Clean
(actual)
2776 181202
Application: Help AV vendor searching for new malware12
13
Identify vulnerable devices before they are infected?
Application: Help enterprise IT admin identify users for training
1. Secure Open Access to TEEs
Question: how to safely expose hardware-based TEE functionality
to app developers?
Rationale:
• TEE hardware widespread; limited access to app developers
• Emerging standardization (Global Platform, TPM.2, TPM Mobile)
Use case: eg, Apps use TEE crypto for app-specific secure storage.
Stakeholder liaison: Brian McGillion (MCG)
Tanel Dettenhorn, Grad student
Question: can existing platform security mechanisms address
security needs of new usage scenarios?
Rationale: Gap in platform security research and deployment.
Sub themes:
• how to securely migrate apps between devices using existing lightweight
isolation mechanisms?
• can we aggregate feedback from social circles to ease user burden of
authorizing apps?
Stakeholder liaison: Elena Reshetova (SSG/OTC)
2. Novel Applications of Platsec
3. Malware Insights
Question: can we use lightweight instrumentation on a device to
predict if it will (eventually) get malware?
Rationale:
‒ signals indicative of user’s habits (e.g., set of apps) may predict susceptibility to
malware.
Use case: (1) cheaply identify suspicious apps for further analysis
(2) corporate IT admin can monitor “health indicator” of BYO
devices of employees
Stakeholder liaison: Igor Muttik (McAfee)
1) Hien Truong, Postdoc 2) Sourav Bhattacharya, PhD student